Solved

IIS 6.0 Win2003 Server asp login & security

Posted on 2004-09-20
Last Modified: 2009-07-29
I'm looking for a full working example, or even a purchased product, that will -

Have a login.asp page containing 2 text boxes (username & password). User submits page to authenticatepage.asp, where a database is searched to determine if it is a valid username & pwd. Depending on the username, a specific asp page will be opened. I need to use session objects (I think) since I cannot have the user bookmark the page and return to it without going through the logIn page.

Some of the pages for the user are asp and others are html.

Thanks

Question by:Malek103197
6 Comments
 
LVL 31

Expert Comment

by:alorentz
ID: 12101639
What do you want?  This site is to help with problems....not write code for you.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12102201
Make an HTML page with the two text inputs (username & password) and a submit button.  Then in the form tag in the action property (<form action="****" where *** is your submit page).  This will send the user to this page when they click submit.  You'll need to connect to a database and because you don't specify what kind of database you wish to use, even if EE did write code for you....  Then you can use response.redirect to point the user to the 'logged on' page or the 'not logged on' page.

ANYHOW if you do know what your database is post it and I'll help with HOW to do it.  I'm totally willing to spend an absurd amount of time teaching you how to create this.

I'd suggest using cookies, session objects are slow and unwieldy.
Don't forget!  You're in the ASP section of EE so we are assuming you're using ASP and a server that can use ASP.
If you have no clue what I'm talking about, hire someone that does, you shouldn't be doing this.
Even if you purchase a program you'll still need to purchase a database (SQL, Access etc.).

-Coolhand2120
0
 

Author Comment

by:Malek103197
ID: 12103111
Ok, I'm trying to make sense of this script...

The way I interpret it is that when a page is opened and there is not a session UID, the user will be directed to the login page, but I'm not clear on what the author refers to as HTTP_REFERRER.
Need a bit of help understanding this script.

Thanks

Every Page
The script is implemented by including the following code above the <html> tag of every page;

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
    If Session("UID") = "" Then
        HTTP_REFERRER = Request.ServerVariables("URL")
        If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
        Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
    End If
End If
%>



Login.asp -
Script
If the script on the requested page determines that the UID session variable has not been set, the user is redirected to the login page. The login page contains the following code above the <html> tag;

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
    If Login Then
        Session("UID") = UserObject.Item("username")
        'Set Session("UID") = UserObject
        If HTTP_REFERRER = "" Then
            Response.Redirect "default.htm"
        Else
            Response.Redirect HTTP_REFERRER
        End If
    Else
        Status = "Invalid Login... Please Try Again."
    End If
End If

Function Login
    Dim conn, rs, sql, dbFile
    dbFile = "login.mdb"
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql = "SELECT * FROM users WHERE username = '" & _
          Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
    rs.Open sql, conn, 3, 3
    If Not rs.EOF Then
        Set UserObject = CreateObject("Scripting.Dictionary")
        For each field in rs.Fields
            UserObject.Add field.name, field.value
        Next
        Login = True
    Else
        Login = False
    End If
    rs.Close
    set rs = nothing
    conn.Close
    set conn = nothing
End Function
%>
<html>
0
 
LVL 2

Accepted Solution

by:
Coolhand2120 earned 250 total points
ID: 12106800
Wow... well I can tell you that this is an odd script.  HTTP_REFERER is very very unreliable, 50% of the time it doesn't work.  It's supposed to return the URL of the page that sent the user to the current page.  If you want to put the user back to the page they just came from I'd use client side javascript location.history.  But I don't think you're interested in this.

THIS:

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
    If Session("UID") = "" Then
        HTTP_REFERRER = Request.ServerVariables("URL")
        If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
        Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
    End If
End If
%>


would be easier if it said:

<%

if request.cookies("userID") <> "" then
  userID = request.cookies("userID")
else
  response.redirect "logon.asp"
end if

%>



This:

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
    If Login Then
        Session("UID") = UserObject.Item("username")
        'Set Session("UID") = UserObject
        If HTTP_REFERRER = "" Then
            Response.Redirect "default.htm"
        Else
            Response.Redirect HTTP_REFERRER
        End If
    Else
        Status = "Invalid Login... Please Try Again."
    End If
End If

Function Login
    Dim conn, rs, sql, dbFile
    dbFile = "login.mdb"
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql = "SELECT * FROM users WHERE username = '" & _
          Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
    rs.Open sql, conn, 3, 3
    If Not rs.EOF Then
        Set UserObject = CreateObject("Scripting.Dictionary")
        For each field in rs.Fields
            UserObject.Add field.name, field.value
        Next
        Login = True
    Else
        Login = False
    End If
    rs.Close
    set rs = nothing
    conn.Close
    set conn = nothing
End Function
%>


Would be easier if it said:
Your logon.asp page should have this script at the top

<%
if request.form("Username") <> "" then

'This block below will connect to your database to look up stuff
 Set rs = Server.CreateObject("ADODB.Recordset")
 rs.ActiveConnection = "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
 rs.Source = "Select * from users where username = '" & request.form("username") & "' and password = '" & request.form("password") & "'"
 rs.CursorType = 0
 rs.CursorLocation = 2
 rs.LockType = 1
 rs.Open()

  'If the recordset was empty (no matching username / password)
 if rs.eof or rs.bof then
   response.redirect "logon.asp?badpassword=1"    'This is where it would send users that type bad u/p
 else
   response.cookies("userID") = request.form("username")   'this sets the username into a cookie called "userID" which you can check later and see if its empty or not
   response.redirect "default.asp"  'Redirect to wherever you want to put the user after they logon correctly
 end if

'Clean up DB connection objects

  rs.close
  set rs = nothing

end if
%>

logon.asp should have this after the asp part:

<form method="post" action="logon.asp">

<input name="username" type="text">
<input name="password" type="password">
<input type="submit">

</form>

Sorry I pretty much rewrote your script there, if you still have problems just post again!

-Coolhand2120
0
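A hardened variant of the logon script in this thread, as an added example that is not part of the original posts: the form values are bound as query parameters instead of being concatenated into the SQL string, the login state is kept in the server-side Session rather than in a cookie the browser can set to any username, and the post-login redirect only follows a site-relative path. The database file, table and column names come from the thread; `returnUrl`, `CheckLogin` and `SafeLocalPath` are hypothetical names, and the password is compared as stored because that is how the thread's table holds it. Protected pages keep checking `Session("UID")` as the original per-page script does.

```asp
<%
Option Explicit
' Added example: hardened header for logon.asp. From the thread: login.mdb,
' users(username, password). Hypothetical: returnUrl, CheckLogin, SafeLocalPath.
Const adCmdText = 1, adVarWChar = 202, adParamInput = 1

Dim status
status = "Please log in."

If Request.Form("username") <> "" Then
    If CheckLogin(CStr(Request.Form("username")), CStr(Request.Form("password"))) Then
        ' State lives server-side; the browser holds only the ASP session cookie.
        Session("UID") = CStr(Request.Form("username"))
        Response.Redirect SafeLocalPath(CStr(Request.QueryString("returnUrl")))
    Else
        status = "Invalid Login... Please Try Again."
    End If
End If

' True only when the supplied username/password pair exists in users.
Function CheckLogin(userName, password)
    Dim conn, cmd, rs
    CheckLogin = False
    If Len(userName) > 255 Or Len(password) > 255 Then Exit Function
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound in order; input never becomes SQL text.
    cmd.CommandText = "SELECT username FROM users WHERE username = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, password)
    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF
    rs.Close : conn.Close
    Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End Function

' Accept only a site-relative path such as /reports/q3.asp. Anything with a
' scheme, host, backslash, CR/LF or leading // falls back to default.asp.
Function SafeLocalPath(candidate)
    SafeLocalPath = "default.asp"
    If Len(candidate) < 2 Or Left(candidate, 1) <> "/" Then Exit Function
    If Left(candidate, 2) = "//" Or InStr(candidate, "\") > 0 Then Exit Function
    If InStr(candidate, ":") > 0 Or InStr(candidate, vbCr) > 0 Or InStr(candidate, vbLf) > 0 Then Exit Function
    SafeLocalPath = candidate
End Function
%>
```

For the return path to reach this code, the login form's action has to carry the same `returnUrl` query string, written into the page with `Server.HTMLEncode`.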
 

Author Comment

by:Malek103197
ID: 12112242
Thanks Coolhand2120, that is a lot simpler and very understandable.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12112668
NP.  Let me know if it works out for you.

-Coolhand2120
0
